DOCSLIB.ORG

Nvcool: When Non-Volatile Caches Meet Cold Boot Attacks*

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Nvcool: When Non-Volatile Caches Meet Cold Boot Attacks* NVCool: When Non-Volatile Caches Meet Cold Boot Attacks* Xiang Pan∗, Anys Bachay, Spencer Rudolph∗, Li Zhou∗, Yinqian Zhang∗, Radu Teodorescu∗ ∗The Ohio State University fpanxi, rudolph, zholi, yinqian, [email protected] yUniversity of Michigan [email protected] Abstract—Non-volatile memories (NVMs) are expected to re- Despite all their expected benefits, non-volatile memories place traditional DRAM and SRAM for both off-chip and on- will also introduce new security vulnerabilities as data stored chip storage. It is therefore crucial to understand their security in these memories will persist even after being powered-off. vulnerabilities before they are deployed widely. This paper shows that NVM caches are vulnerable to so-called “cold boot” In particular, non-volatile memory is especially vulnerable attacks, which involve physical access to the processor’s cache. to “cold boot” attacks. Cold boot attacks, as first proposed SRAM caches have generally been assumed invulnerable to cold by Halderman et al. [13], use a cooling agent to lower the boot attacks, because SRAM data is only persistent for a few temperature of DRAM chips before physically removing them milliseconds even at cold temperatures. from the targeted system. Electrical characteristics of DRAM Our study explores cold boot attacks on NVM caches and capacitors at very low temperatures cause data to persist in the defenses against them. In particular, this paper demonstrates that hard disk encryption keys can be extracted from the NVM cache chips for a few minutes even in the absence of power. This in multiple attack scenarios. We demonstrate a reproducible allows the attacker to plug the chips into a different machine attack with very high probability of success. This paper also and scan the memory image in an attempt to extract secret proposes an effective software-based countermeasure that can information. When the memory is implemented using NVM, completely eliminate the vulnerability of NVM caches to cold the cold boot attacks become much simpler and more likely boot attacks with a reasonable performance overhead. to succeed, because data persists through power cycles. To protect against cold boot attacks on main memory, I. INTRODUCTION one approach is to encrypt sensitive data [14]–[21]. Another Non-volatile memory (NVM) such as Spin-Transfer Torque approach is to keep secret keys stored in SRAM-based CPU Random Access Memory (STT-RAM), Phase Change Memory registers, caches, and other internal storage during system ex- (PCM), and Resistive Random Access Memory (ReRAM), ecution [22]–[31]. The rationale behind this design philosophy is a promising candidate for replacing traditional DRAM is that cold boot attacks against on-chip SRAM structures and SRAM memories for both off-chip and on-chip storage are deemed to be extremely difficult. This is because SRAM [1]. NVMs in general have several desirable characteristics data persistence at cold temperatures is limited to a few including non-volatility, high density, better scalability at small milliseconds [32]. feature sizes, and low leakage power [2]–[4]. Prior work has The security implications of implementing the main mem- examined the performance, energy, and reliability implications ory and microprocessor caches with NVM have received little of NVM register files, caches, and main memories [2]–[8]. attention. While memory encryption schemes are feasible, The semiconductor industry is investing heavily in NVM cache encryption is not practical due to low access latency technologies and companies such as Everspin [9] and Crossbar requirements. Cold boot attacks on unencrypted NVM caches [10] are focused exclusively on NVM technologies and have will be a serious concern in practice, especially given the produced NVM chips that are being sold today. A joint effort ubiquity of smart mobile and Internet of Things (IoT) devices, from Intel and Micron has yielded 3D XPoint [11], a new which are more exposed to physical tampering — a typical generation of NVM devices with very low access latency and setup for cold boot attacks. high endurance, expected to come to the market this year. This work examines the security vulnerabilities of micro- Hewlett Packard Enterprise’s ongoing “The Machine” project processors with NVM caches. In particular, we show that [12] is also set to release computers equipped with memristor encryption keys can be retrieved from NVM caches if an technology (also known as ReRAM) as part of enabling attacker gains physical access to the device. Since removing highly scalable memory subsystems. The industry expects non- the processor from a system no longer erases on-chip mem- volatile memory to replace DRAM off-chip storage in the near ory content, sensitive information can be leaked. This paper future, and SRAM on-chip storage in the medium term. demonstrates that AES disk encryption keys can be identified in the NVM caches of a simulated ARM-based system running This work was supported in part by the National Science Foundation under the Ubuntu Linux OS. grants CCF-1253933 and CCF-1629392, and The Ohio Supercomputer Center. We have examined multiple attack scenarios to evaluate the probability of a successful attack depending on the system activity, attack timing, and methodology. In order to search for AES keys in cache images, we adopted the key search algorithm presented in [13] for main memories, and made the necessary modifications to target caches which cover non- Fig. 1: AES-128 key schedule with details on key expansion. contiguous subsets of the memory space. We find that the probability of identifying an intact AES key if the processor is stopped at any random point during execution ranges between following subkeys (also known as round keys) are computed 5% and 100%, depending on the workload and cache size. We from the previously generated subkeys using publicly known also demonstrate a reproducible attack with 100% probability functions such as Rot-Word, Sub-Word, Rcon, EK, and K of success for the system we study. defined in the key expansion algorithm [34]. In each round To counter such threats, this paper proposes an effective of the key generation, the same sequence of functions will be software-based countermeasure. We patch the Linux kernel to executed. Each newly generated subkey will have the same allocate sensitive information into designated memory pages size, e.g. 16 bytes in AES-128. This process repeats a certain that we mark as uncacheable in their page table entries number of rounds (e.g. 10 rounds in AES-128) until the (PTEs). This way secret information will never be loaded expanded key is completely generated. Each subkey from the into vulnerable NVM caches but only stored in main memory expanded key will then be used in separate rounds of AES and/or hard disk, which can be encrypted with a reasonable encryption or decryption algorithms. performance cost. The performance overhead of this coun- termeasure ranges between 2% and 45% depending on the B. ARM’s Cryptographic Acceleration hardware configuration. Many of today’s processors include vectorization support in Overall, this paper makes the following main contributions: the form of Single Instruction Multiple Data (SIMD) engines. • The first work to examine cold boot attacks on non- In ARM processors, the SIMD engine, called NEON, consists volatile caches. of 32 128-bit registers (v0 - v31). Each NEON register can • Two types of cold boot attacks have been performed and conveniently load a 128-bit AES key or a full round of the shown to be effective on non-volatile caches. AES key schedule into a single register obviating the need • A software-based countermeasure has been developed for multiple accesses to the cache or the memory subsystem. and proven to be effective. In addition, ARMv8 introduces cryptographic extensions that • An algorithm for identifying AES keys in cache images include new instructions that can be used in conjunction with has been implemented. NEON for AES, SHA1, and SHA2-256 algorithms. In the AESD The rest of this paper is organized as follows: Section II case of AES, the available instructions are: for single AESE AESIMC provides background information and discusses related work. round decryption, for single round encryption, VMULL Section III explains the threat model. Section IV illustrates for inverse mix columns, and for polynomial multiply our cache-based AES key search algorithm. Section V de- long. In this paper, we explore the use of the NEON engine, scribes our experimental methodology. Section VI presents in addition to the ARMv8 cryptographic extensions. and evaluates two types of cold boot attacks. Section VII C. Cold Boot Attacks and Defenses presents countermeasures and evaluates their effectiveness and performance overhead. Finally, section VIII concludes. The idea of cold boot attacks in modern systems was first explored by Halderman et al. [13]. Their work consisted of II. BACKGROUND AND RELATED WORK extracting disk encryption keys using information present in In this section we provide some background information main memory (DRAM) images preserved from a laptop. The relevant to our study and discuss related work in the context idea of this type of attack builds on the premise that under low of cold boot attacks. temperature conditions, DRAM chips preserve their content for extended time durations. The attack also relies on the A. Advanced Encryption Standard (AES) fact that AES keys can be inferred by examining relationships The Advanced Encryption Standard (AES) [33] is a sym- between subkeys that involve computing the hamming distance metric block cipher that encrypts or decrypts a block of 16 information. The AES key search algorithm has been proposed bytes of data at a time. Both encryption and decryption use the in [13] as well. Muller et al. [35] later expanded cold boot same secret key. The commonly used AES key size is either attacks to mobile devices. When volatile memories such as 128-bit (AES-128), 192-bit (AES-192), or 256-bit (AES-256).
Load more

Recommended publications
  • Operating System Boot from Fully Encrypted Device
    Masaryk University Faculty of Informatics Operating system boot from fully encrypted device Bachelor’s Thesis Daniel Chromik Brno, Fall 2016 Replace this page with a copy of the official signed thesis assignment and the copy of the Statement of an Author. Declaration Hereby I declare that this paper is my original authorial work, which I have worked out by my own. All sources, references and literature used or excerpted during elaboration of this work are properly cited and listed in complete reference to the due source. Daniel Chromik Advisor: ing. Milan Brož i Acknowledgement I would like to thank my advisor, Ing. Milan Brož, for his guidance and his patience of a saint. Another round of thanks I would like to send towards my family and friends for their support. ii Abstract The goal of this work is description of existing solutions for boot- ing Linux and Windows from fully encrypted devices with Secure Boot. Before that, though, early boot process and bootloaders are de- scribed. A simple Linux distribution is then set up to boot from a fully encrypted device. And lastly, existing Windows encryption solutions are described. iii Keywords boot process, Linux, Windows, disk encryption, GRUB 2, LUKS iv Contents 1 Introduction ............................1 1.1 Thesis goals ..........................1 1.2 Thesis structure ........................2 2 Boot Process Description ....................3 2.1 Early Boot Process ......................3 2.2 Firmware interfaces ......................4 2.2.1 BIOS – Basic Input/Output System . .4 2.2.2 UEFI – Unified Extended Firmware Interface .5 2.3 Partitioning tables ......................5 2.3.1 MBR – Master Boot Record .
    [Show full text]
  • A Complete Bibliography of ACM Transactions on Computer Systems
    A Complete Bibliography of ACM Transactions on Computer Systems Nelson H. F. Beebe University of Utah Department of Mathematics, 110 LCB 155 S 1400 E RM 233 Salt Lake City, UT 84112-0090 USA Tel: +1 801 581 5254 FAX: +1 801 581 4148 E-mail: [email protected], [email protected], [email protected] (Internet) WWW URL: http://www.math.utah.edu/~beebe/ 10 August 2021 Version 1.75 Title word cross-reference Accelerating [BJS01]. Accelerator [CZL+15]. Accelerators [LAB+13]. Accent [FR86]. Access [AT83, LZCZ86, LP93, Smi84b, GB01]. arc [GS93]. N [SHG95, Mae85]. Access/Execute [Smi84b]. Accesses [AJ19, HY92, Kel00]. accessing [ACM04]. -Body [SHG95]. accounting [EV03]. accuracy [Jim05]. Accurate [GVM+11, NTW09]. Ace [RR99]. 11/780 [Cla83, CE85]. 1988 [ACM88]. Achieve [LLL+16]. ACM [Jha20]. ACM/SIGOPS [ACM88]. Action [Sch84]. + 2.6 [PTS 14]. 2011 [Mow12]. 2019 [MT20]. Actions [Ree83]. Activations [ABLL92]. active [SJS+00]. Activity 36 [Jha20]. [IRH86, MSB+06]. Ad [BYFK08, FKA10]. Adaptable [AC92]. Adaptation 4 [Jha20]. 432 [CGJ88, CCLP83]. [BS91, AD03, FS04]. Adaptive [ALHH08, AS95, MLS97, CT01]. Address 780 [Cla83, CE85]. [CLFL94, SV99]. Adrenaline [HZL+17]. Affected [IRH86]. Aggregate [AB83]. Abstract [Her86, SS84]. abstraction aggregation [JMB05]. Aggressive [CRL03, Kel00]. Abstractions [SKH+16]. 1 2 [GWSU13]. AI [RDB+21]. Air [CDD96]. al [HKS+83]. Arrays [SHCG94]. Article [Jha20]. Algorithm [Jha20]. Asbestos [VEK+07]. [Bad86, DC85, HBAK86, Lam87, Mae85, Assignments [BGM86]. Assistant Ray89, SK85, Zha91]. Algorithms [HLZ+16]. Assisting [KMG16]. [CM86, GD87, GLM91, KS91, KH92, LA93, Associative [SA95]. Astrolabe [VBV03]. MCS91, San87, Sau83a, Sau83b, TS89, KY04]. Asymmetric [SFKP12]. At-Most-Once allergies [QTZS07]. Allocation [LSW91]. ATC [MT20].
    [Show full text]
  • Revention of Coldboot Attack on Linux Systems Measures to Prevent Coldboot Attack
    Special Issue - 2017 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 ICIATE - 2017 Conference Proceedings Prevention of Coldboot Attack on Linux Systems Measures to Prevent Coldboot Attack Siddhesh Patil Ekta Patel Nutan Dhange Information Technology, Atharva Information Technology, Atharva Assistant Professor College of Engineering College of Engineering Information Technology, Atharva Mumbai University Mumbai University College of Engineering Mumbai, India Mumbai, India Mumbai University Mumbai, India Abstract— Contrary to the popular belief, DDR type RAM boot attack techniques. We implement measures to ensure that data modules retain stored memory even after power is cut off. stays secure on system shutdown. Data security is critical for most Provided physical access to the cryptosystem, a hacker or a of the business and even home computer users. RAM is used to store forensic specialist can retrieve information stored in the RAM non-persistent information into it. When an application is in use, by installing it on another system and booting from a USB drive user-specific or application-specific data may be stored in RAM. to take a RAM dump. With adequate disassembly and analytic This data can be sensitive information like client information, tools, this information stored in the RAM dump can be payment details, personal files, bank account details, etc. All this deciphered. Hackers thrive on such special-case attack information, if fallen into wrong hands, can be potentially techniques to gain access to systems with sensitive information. dangerous. The goal of most unethical hackers / attackers is to An unencrypted RAM module will contain the decryption key disrupt the services and to steal information.
    [Show full text]
  • CIS 4360 Secure Computer Systems Attacks Against Boot And
    CIS 4360 Secure Computer Systems Attacks against Boot and RAM Professor Qiang Zeng Spring 2017 Previous Class • BIOS-MBR: Generation I system boot – What BIOS and MBR are? – How does it boot the system? // Jumping to MBR – How does multi-boot work? // Chain-loading • The limitations of BIOS and MBR – Disk, memory, file system, multi-booting, security, … • UEFI-GPT: Generation II system boot – What UEFI and GPT are? – How does it boot the system? // UEFI boot manager – How does multi-boot work? // separate dirs in ESP CIS 4360 – Secure Computer Systems 2 Limitations of BIOS-MBR • MBR is very limited – Support ~2TB disk only – 4 primary partitions at most (so four OSes at most) – A MBR can store only one boot loader • BIOS is very restrictive – 16-bit processor mode; 1MB memory space (little spare space to accommodate a file system driver) – Blindly executes whatever code on MBR CIS 4360 – Secure Computer Systems 3 UEFI vs. BIOS • Disk partitioning schemes – GPT (GUID Partition Table): part of UEFI spec.; to replace MBR – MBR supports disk size 232 x 512B = 2TB, while UEFI supports much larger disks (264 x 512B = 8,000,000,000 TB) – MBR supports 4 partitions, while GPT supports 128 • Memory space – BIOS: 20-bit addressing; UEFI: 32-bit or 64-bit • Pre-OS environment – BIOS only provides raw disk access, while UEFI supports the FAT file system (so you can use file names to read files) • Booting – BIOS supports boot through boot sectors (MBR and VBR) – UEFI provides a boot partition of hundreds of megabytes (and boot manager and secure boot) CIS 4360 – Secure Computer Systems 4 Previous Class How does dual-boo-ng of Linux and Windows work in UEFI-GPT? Each vendor has a separate directory storing its own boot loader code and configuraon files in the ESP (EFI System Par--on).
    [Show full text]
  • Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives
    Self-encrypting deception: weaknesses in the encryption of solid state drives Carlo Meijer Bernard van Gastel Institute for Computing and Information Sciences School of Computer Science Radboud University Nijmegen Open University of the Netherlands [email protected] and Institute for Computing and Information Sciences Radboud University Nijmegen Bernard.vanGastel@{ou.nl,ru.nl} Abstract—We have analyzed the hardware full-disk encryption full-disk encryption. Full-disk encryption software, especially of several solid state drives (SSDs) by reverse engineering their those integrated in modern operating systems, may decide to firmware. These drives were produced by three manufacturers rely solely on hardware encryption in case it detects support between 2014 and 2018, and are both internal models using the SATA and NVMe interfaces (in a M.2 or 2.5" traditional form by the storage device. In case the decision is made to rely on factor) and external models using the USB interface. hardware encryption, typically software encryption is disabled. In theory, the security guarantees offered by hardware encryp- As a primary example, BitLocker, the full-disk encryption tion are similar to or better than software implementations. In software built into Microsoft Windows, switches off software reality, we found that many models using hardware encryption encryption and completely relies on hardware encryption by have critical security weaknesses due to specification, design, and implementation issues. For many models, these security default if the drive advertises support. weaknesses allow for complete recovery of the data without Contribution. This paper evaluates both internal and external knowledge of any secret (such as the password).
    [Show full text]
  • Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token
    Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian Goldberg?1, Graeme Jenkinson2, and Frank Stajano2 1 University of Waterloo (Canada) 2 University of Cambridge (United Kingdom) Abstract. Hardware tokens for user authentication need a secure and usable mechanism to lock them when not in use. The Pico academic project proposes an authentication token unlocked by the proximity of simpler wearable devices that provide shares of the token’s master key. This method, however, is vulnera- ble to a cold boot attack: an adversary who captures a running Pico could extract the master key from its RAM and steal all of the user’s credentials. We present a cryptographic countermeasure—bivariate secret sharing—that protects all the credentials except the one in use at that time, even if the token is captured while it is on. Remarkably, our key storage costs for the wearables that supply the cryp- tographic shares are very modest (256 bits) and remain constant even if the token holds thousands of credentials. Although bivariate secret sharing has been used before in slightly different ways, our scheme is leaner and more efficient and achieves a new property—cold boot protection. We validated the efficacy of our design by implementing it on a commercial Bluetooth Low Energy development board and measuring its latency and energy consumption. For reasonable choices of latency and security parameters, a standard CR2032 button-cell battery can power our prototype for 5–7 months, and we demonstrate a simple enhancement that could make the same battery last for over 9 months.
    [Show full text]
  • Zenworks 2017 Update 4 Troubleshooting Full Disk Encryption January 2019
    ZENworks 2017 Update 4 Troubleshooting Full Disk Encryption January 2019 This document provides troubleshooting guidelines for common problems related to ZENworks Full Disk Encryption. If, after completing the troubleshooting steps, the problem is not resolved, you should contact Technical Support (https://www.novell.com/support/) for additional help. 1 Windows PE Emergency Recovery Disk (ERD) is not working Make sure you have installed the correct WAIK architecture (32-bit vs 64-bit) (Windows 7 only) If you manually created the ERD, use the PowerShell script provided in the Cool Solutions “Windows Powershell script to create a Windows PE emergency recovery disk for ZENworks Full Disk Encryption” article. Try creating the ERD using the ADK for Windows instead of Windows AIK. See “Creating a Windows PE Emergency Recovery Disk” in the ZENworks Full Disk Encryption Emergency Recovery Reference. Try burning the ERD to a DVD rather than a CD. 2 Issues with PBA login or boot sequence After pre-boot authentication occurs, the BIOS or UEFI settings must be correctly set for Windows. With unusual DMI hardware configurations, the standard ZENworks PBA boot method and Linux kernel configuration used to provide the BIOS settings, might not work, resulting in hardware that does not function correctly or is not recognized by Windows. Beginning in ZENworks 2017 Update 2, the Full Disk Encryption Agent includes DMI menu options to repair the boot sequence for issues relating to these DMI configurations. This menu is accessible by using the Ctrl + G keyboard command at a brief point when Full Disk Encryption is shown during a device restart.
    [Show full text]
  • Disk Encryption with 100Gbe Crypto Accelerator
    Disk Encryption with 100GbE Crypto Accelerator Chelsio T6 vs. Intel AES-NI vs. Software Enabled Encryption Executive Summary Chelsio Crypto Accelerator is a co-processor designed specifically to perform computationally intensive cryptographic operations more efficiently than general-purpose CPUs. Servers with system load, comprising of cryptographic operations, see great performance improvement by offloading crypto operations on to the Chelsio Unified Wire adapter. Chelsio’s solution uses the standard crypto API framework provided by the operating system and enables the offloading of crypto operations to the adapter. This paper showcases the disk encryption acceleration capabilities of Chelsio T6 adapters by comparing its performance with Intel AES-NI and software encryption. Chelsio solution excels with 100Gbps Crypto rate performance for both encryption and decryption with less than 50% CPU usage. Chelsio’s T6 encryption solution assures complete data protection to datacenters, while providing substantial savings on CPU and memory. Chelsio Disk Encryption Offload The Terminator 6 (T6) ASIC from Chelsio Communications, Inc. is a sixth generation, high performance 1/10/25/40/50/100Gbps unified wire engine which offers crypto offload capability for AES and SHA variants. Chelsio’s disk encryption solution is a special case of data at rest protection where the storage media is a sector-addressable device. Chelsio offloads the AES-XTS mode, which is designed for encrypting data stored on hard disks where there is no additional space for an integrity field. AES-XTS builds on the security of AES by protecting the storage device from many dictionary and copy/paste attacks. Chelsio crypto driver registers with the kernel crypto framework with high priority and ensures that any disk encryption request is offloaded and processed by T6 adapter.
    [Show full text]
  • Speeding up Linux Disk Encryption Ignat Korchagin @Ignatkn $ Whoami
    Speeding Up Linux Disk Encryption Ignat Korchagin @ignatkn $ whoami ● Performance and security at Cloudflare ● Passionate about security and crypto ● Enjoy low level programming @ignatkn Encrypting data at rest The storage stack applications @ignatkn The storage stack applications filesystems @ignatkn The storage stack applications filesystems block subsystem @ignatkn The storage stack applications filesystems block subsystem storage hardware @ignatkn Encryption at rest layers applications filesystems block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Encryption at rest layers DBMS, PGP, OpenSSL, Themis applications ecryptfs, ext4 encryption or fscrypt filesystems LUKS/dm-crypt, BitLocker, FileVault block subsystem SED, OPAL storage hardware @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers @ignatkn Storage hardware encryption Pros: ● it’s there ● little configuration needed ● fully transparent to applications ● usually faster than other layers Cons: ● no visibility into the implementation ● no auditability ● sometimes poor security https://support.microsoft.com/en-us/help/4516071/windows-10-update-kb4516071 @ignatkn Block
    [Show full text]
  • The Growing Impact of Full Disk Encryption on Digital Forensics
    digital investigation 8 (2011) 129e134 Available online at www.sciencedirect.com journal homepage: www.elsevier.com/locate/diin The growing impact of full disk encryption on digital forensics Eoghan Casey a,*, Geoff Fellows b, Matthew Geiger c, Gerasimos Stellatos d a cmdLabs, 1101 E. 33rd Street, Suite C301, Baltimore, MD 21218, United States b LG Training Partnership, United Kingdom c CERT, United States d CACI International, United States article info abstract Article history: The increasing use of full disk encryption (FDE) can significantly hamper digital investi- Received 16 March 2011 gations, potentially preventing access to all digital evidence in a case. The practice of Received in revised form shutting down an evidential computer is not an acceptable technique when dealing with 17 September 2011 FDE or even volume encryption because it may result in all data on the device being Accepted 24 September 2011 rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption Keywords: prior to pulling the plug. In addition, to give digital investigators the best chance of Digital forensics obtaining decrypted data in the field, prosecutors need to prepare search warrants with Full disk encryption FDE in mind. This paper describes how FDE has hampered past investigations, and how Hard drive encryption circumventing FDE has benefited certain cases. This paper goes on to provide guidance for Volatile data gathering items at the crime scene that may be useful for accessing encrypted data, and for Memory forensics performing on-scene forensic acquisitions of live computer systems.
    [Show full text]
  • The Future of Digital Forensics
    Royal Holloway Information Security Thesis Series | The future of digital forensics The future of digital forensics Investigators have three avenues of attack to use when tackling the complexities of full disk encryption by Nia Catlin, MSc in information security (Royal Holloway) and Lorenzo Cavallaro, ISG, Royal Holloway THINKSTOCK Royal Holloway Information Security Thesis Series | The future of digital forensics The future of digital forensics in the era of full disk encryption Full disk encryption presents a theoretically insurmountable challenge for digital forensics, but authorities still have three avenues of attack for attempting to analyse protected devices. Anti-forensic countermeasures pose a developing challenge, however by Nia Catlin and Lorenzo Cavallaro In the past, forensics relied on artifacts left behind on a suspect’s computer, an intimate knowledge of all the nooks and crannies in which incriminating evidence may be hidden, the tendency of criminals to fail even to attempt to assume they will not be caught, and the failure of criminals to cover their tracks. Unfortunately for digital forensic investigators, their work constitutes a physical security breach, and the use of full disk encryption can be as effective at preventing them carrying out that work as it is at preventing a laptop thief from stealing passwords. The severe consequences of the exposure of corporate and customer data have led to the development of user-friendly and very secure full disk encryption. Moreover, the fear of device theft has led to its widening adoption. Most of the encryption algorithms – when used correctly – are considered unbroken for practical purposes, so authorities trying to analyse such a protected device are left with three avenues of attack: key search, live forensic acquisition and forced key disclosure.
    [Show full text]
  • Using Registers As Buffers to Resist Memory Disclosure Attacks Yuan Zhao, Jingqiang Lin, Wuqiong Pan, Cong Xue, Fangyu Zheng, Ziqiang Ma
    RegRSA: Using Registers as Buffers to Resist Memory Disclosure Attacks Yuan Zhao, Jingqiang Lin, Wuqiong Pan, Cong Xue, Fangyu Zheng, Ziqiang Ma To cite this version: Yuan Zhao, Jingqiang Lin, Wuqiong Pan, Cong Xue, Fangyu Zheng, et al.. RegRSA: Using Registers as Buffers to Resist Memory Disclosure Attacks. 31st IFIP International Information Security and Privacy Conference (SEC), May 2016, Ghent, Belgium. pp.293-307, 10.1007/978-3-319-33630-5_20. hal-01369563 HAL Id: hal-01369563 https://hal.inria.fr/hal-01369563 Submitted on 21 Sep 2016 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed under a Creative Commons Attribution| 4.0 International License RegRSA: Using Registers as Buffers to Resist Memory Disclosure Attacks Yuan Zhao1;2;3?, Jingqiang Lin1;2, Wuqiong Pan1;2??, Cong Xue1;2;3, Fangyu Zheng1;2;3, and Ziqiang Ma1;2;3 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, China 2 Data Assurance and Communication Security Research Center, Chinese Academy of Sciences, China 3 University of Chinese Academy of Sciences, China {yzhao,linjq,wqpan,cxue13,fyzheng,zqma13}@is.ac.cn Abstract.
    [Show full text]